EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes
and/or additions be unacceptable to applicant, an amendment may be filed as provided
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be
submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in a telephone interview
with Stoycho D. Draganoff Registration No. 56,181 on February 11, 2010.

The application has been amended as follows: 

Claims 1, 5, 8, 12, 15, 16, 17, 18, 20, 21, 25, 29, 48, 52, 55 - 62 have been amended as 
follows: 

1. (Currently Amended) A method, comprising the computer-implemented
steps of:

receiving trust information defining one or more trusted signatories;

receiving, in association with a particular configuration directive, security
information defining a number of required signatures and required
principals;

receiving configuration information comprising a hostname, one or more
configuration directives for a host network element associated with the
hostname, and two or more digital signatures of the hostname and the one
or more configuration directives;

wherein the configuration information includes the particular configuration
directive;

wherein the two or more digital signatures comprise a first digital signature of a 
first portion of the one or more configuration directives by a first user, and 
a second digital signature of a second portion of the one or more 
configuration directives by a second user; 

receiving signature group data representing a collective authority and comprising 
a first identifier that identifies the first user responsible for the first portion 
of the one or more configuration directives and a second identifier that 
identifies the second user responsible for the second portion of the one or 
more configuration directives; 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the host network element at the same time; 

attempting to verify the two or more digital signatures based on the trust 
information, the signature group data, and the security information;

verifying that the two or more digital signatures are valid and that two or more 
principals respectively associated with the two or more digital signatures 
have the collective authority to perform the one or more configuration 
directives on the host network element; 

[[wherein, in accordance with the collective authority, the first user is responsible
for the first portion of the one or more configuration directives, the second
user is responsible for the second portion of the one or more configuration
directives, and the first portion and the second portion of the one or more
configuration directives are to be applied to the host network element at
the same time;]]

applying the one or more configuration directives to the host network element 
only when the two or more digital signatures are verified successfully; 

wherein applying the one or more configuration directives comprises applying the 
particular configuration directive only when the configuration information 
has the number of required signatures by the required principals; 

wherein the steps of the method are performed by the host network element.

8. (Currently Amended) A method, comprising the computer-implemented
steps of:

receiving trust information defining one or more trusted signatories; 

receiving configuration control information that includes a time period during 
which a valid digital signature is required for applying one or more 
particular configuration directives; 

receiving configuration information comprising a hostname, one or more
configuration directives for a host network element associated with the
hostname, one or more digital signatures of the hostname and the one or
more configuration directives, and a date-time value;

receiving signature group data representing a collective authority and comprising
a first identifier that identifies a first user responsible for a first portion of
the one or more configuration directives and a second identifier that 
identifies a second user responsible for a second portion of the one or 
more configuration directives: 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the host network element at the same time: 

determining if the date-time value is within the time period; 

determining if the one or more configuration directives have been previously 
received during the time period; and 

only when the date-time value is within the time period and the one or more
configuration directives have not been previously received during the time
period, attempting to verify the one or more digital signatures based on the
trust information and the signature group data, and applying the one or
more configuration directives to the host network element only when the 
one or more digital signatures are verified successfully; 

wherein the steps of the method are performed by the host network element.

12. (Currently Amended) A method as recited in Claim 8, further comprising the
steps of:

verifying that the one or more digital signatures are valid and that one or more
principals respectively associated with the one or more digital signatures
have the collective authority to perform the one or more configuration
directives on the host network element.

15. (Currently Amended) A method as recited in Claim 8, wherein the one or
more digital signatures use public key cryptography, and wherein public keys for 
the one or more digital signatures are stored on the host. 

16. (Currently Amended) A method as recited in Claim 8, wherein the one or 
more digital signatures use public key cryptography, wherein public keys for the 
one or more digital signatures are stored on a key server and retrieved from the 
key server as part of attempting to validate the one or more digital signatures. 

17. (Currently Amended) A method as recited in Claim 8, wherein the one or 
more digital signatures use public key cryptography, and wherein public keys for 
the one or more digital signatures are received in a digital certificate and 
extracted from the digital certificate as part of attempting to validate the one or 
more digital signatures. 

18. (Currently Amended) A method for verifying configuration changes for 
network devices using digital signatures, comprising the computer-implemented 
steps of: 

receiving a public key for a user of the network devices; 

receiving configuration control information that includes a time period during 
which a valid digital signature is required for applying one or more 
particular configuration directives to a specified network device; 

receiving configuration information comprising a hostname, one or more
configuration directives for the specified network device associated with
the hostname, one or more digital signatures of the hostname and the one
or more configuration directives, and a date-time value; 

receiving signature group data representing a collective authority and comprising 
a first identifier that identifies a first user responsible for a first portion of 
the one or more configuration directives and a second identifier that 
identifies a second user responsible for a second portion of the one or 
more configuration directives: 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the specified network device at the same time: 

determining if the date-time value is within the time period; 

determining if the one or more configuration directives have been previously
received during the time period, by generating a secure hash of the one or
more configuration directives and determining if the secure hash is found
in memory; and

only when the date-time value is within the time period and the one or more
configuration directives have not been previously received during the time
period, performing the steps of:

attempting to verify the one or more digital signatures based on using the
signature group data and generating a secure hash of the one or
more configuration directives using the public key and comparing
the secure hash to the one or more digital signatures,
and applying the one or more configuration directives to the specified
network device only when the one or more digital signatures are
verified successfully;

wherein the steps of the method are performed by the specified network device.

20. (Currently Amended) A method as recited in any of Claims 8 or 18, wherein 
the one or more digital signatures comprise a first digital signature of [[a]] the first 
portion of the one or more configuration directives by [[a]] the first user, a second 
digital signature of [[a]] the second portion of the one or more configuration 
directives by [[a]] the second user, and a third digital signature by a third user, 
wherein the third digital signature is applied to a resultant of the first digital 
signature and the second digital signature. 

21. (Currently Amended) A computer-readable volatile or non-volatile 
medium storing one or more sequences of instructions for verifying configuration 
changes for network devices using digital signatures, which instructions, when 
executed by one or more processors, cause the one or more processors to carry 
out the steps of: 

receiving trust information defining one or more trusted signatories;

receiving, in association with a particular configuration directive, security
information defining a number of required signatures and required
principals;

receiving configuration information comprising a hostname, one or more
configuration directives for a host network element associated with the
hostname, and two or more digital signatures of the hostname and the one
or more configuration directives;

wherein the configuration information includes the particular configuration
directive;

wherein the two or more digital signatures comprise a first digital signature of a 
first portion of the one or more configuration directives by a first user, and 
a second digital signature of a second portion of the one or more 
configuration directives by a second user; 

receiving signature group data representing a collective authority and comprising 
a first identifier that identifies the first user responsible for the first portion 
of the one or more configuration directives and a second identifier that 
identifies the second user responsible for the second portion of the one or 
more configuration directives; 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the host network element at the same time: 

attempting to verify the two or more digital signatures based on the trust 
information, the signature group data, and the security information;

verifying that the two or more digital signatures are valid and that two or more 
principals respectively associated with the two or more digital signatures 
have the collective authority to perform the one or more configuration 
directives on the host network element; 



Application/Control Number: 10/822,927 Page 10 

Art Unit: 2436 

[[wherein, in accordance with the collective authority, the first user is responsible
for the first portion of the one or more configuration directives, the second
user is responsible for the second portion of the one or more configuration
directives, and the first portion and the second portion of the one or more
configuration directives are to be applied to the host network element at
the same time;]]

applying the one or more configuration directives to the host network element 
only when the two or more digital signatures are verified successfully; 

wherein applying the one or more configuration directives comprises applying the 
particular configuration directive only when the configuration information 
has the number of required signatures by the required principals.

25. (Currently Amended) An apparatus for verifying configuration changes for
network devices using digital signatures, comprising:

means for receiving trust information defining one or more trusted signatories;

means for receiving, in association with a particular configuration directive,
security information defining a number of required signatures and required
principals;

means for receiving configuration information comprising a hostname, one or 
more configuration directives for a host network element associated with 
the hostname, and two or more digital signatures of the hostname and the 
one or more configuration directives; 

wherein the configuration information includes the particular configuration
directive;

wherein the two or more digital signatures comprise a first digital signature of a 
first portion of the one or more configuration directives by a first user, and 
a second digital signature of a second portion of the one or more 
configuration directives by a second user; 

means for receiving signature group data representing a collective authority and 
comprising a first identifier that identifies the first user responsible for the 
first portion of the one or more configuration directives and a second 
identifier that identifies the second user responsible for the second portion 
of the one or more configuration directives; 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the host network element at the same time; 

means for attempting to verify the two or more digital signatures based on the 
trust information, the signature group data, and the security information;

means for verifying that the two or more digital signatures are valid and that two 
or more principals respectively associated with the two or more digital 
signatures have the collective authority to perform the one or more 
configuration directives on the host network element; 

[[wherein, in accordance with the collective authority, the first user is responsible
for the first portion of the one or more configuration directives, the second
user is responsible for the second portion of the one or more configuration
directives, and the first portion and the second portion of the one or more
configuration directives are to be applied to the host network element at
the same time;]]

means for applying the one or more configuration directives to the host network 
element only when the two or more digital signatures are verified 
successfully; 

wherein the means for applying the one or more configuration directives
comprise means for applying the particular configuration directive only
when the configuration information has the number of required signatures
by the required principals.

29. (Currently Amended) An apparatus for verifying configuration changes for
network devices using digital signatures, comprising: 

a network interface that is coupled to the data network for receiving one or more
packet flows therefrom;

a processor;

one or more stored sequences of instructions which, when executed by the
processor, cause the processor to carry out the steps of:

receiving trust information defining one or more trusted signatories;

receiving, in association with a particular configuration directive, security
information defining a number of required signatures and required
principals;

receiving configuration information comprising a hostname, one or more
configuration directives for a host network element associated with
the hostname, and two or more digital signatures of the hostname
and the one or more configuration directives;
wherein the configuration information includes the particular configuration 
directive; 

wherein the two or more digital signatures comprise a first digital signature 
of a first portion of the one or more configuration directives by a first 
user, and a second digital signature of a second portion of the one 
or more configuration directives by a second user; 

receiving signature group data representing a collective authority and 
comprising a first identifier that identifies the first user responsible 
for the first portion of the one or more configuration directives and a 
second identifier that identifies the second user responsible for the 
second portion of the one or more configuration directives: 

wherein the configuration information specifies that the first portion and 
the second portion of the one or more configuration directives are 
to be applied to the host network element at the same time; 

attempting to verify the two or more digital signatures based on the trust 
information, the signature group data, and the security information;

verifying that the two or more digital signatures are valid and that two or 
more principals respectively associated with the two or more digital 
signatures have the collective authority to perform the one or more
configuration directives on the host network element;

[[wherein, in accordance with the collective authority, the first user is
responsible for the first portion of the one or more configuration
directives, the second user is responsible for the second portion of
the one or more configuration directives, and the first portion and
the second portion of the one or more configuration directives are
to be applied to the host network element at the same time;]]

applying the one or more configuration directives to the host network 
element only when the two or more digital signatures are verified 
successfully; 

wherein applying the one or more configuration directives comprises 
applying the particular configuration directive only when the 
configuration information has the number of required signatures by 
the required principals.

48. (Currently Amended) A computer-readable volatile or non-volatile medium
storing one or more sequences of instructions which, when executed by one or
more processors, cause the one or more processors to perform steps comprising:

receiving trust information defining one or more trusted signatories;

receiving configuration control information that includes a time period during
which a valid digital signature is required for applying one or more
particular configuration directives;

receiving configuration information comprising a hostname, one or more
configuration directives for a host network element associated with the
hostname, one or more digital signatures of the hostname and the one or 
more configuration directives, and a date-time value; 

receiving signature group data representing a collective authority and comprising 
a first identifier that identifies a first user responsible for a first portion of 
the one or more configuration directives and a second identifier that 
identifies a second user responsible for a second portion of the one or 
more configuration directives: 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the host network element at the same time; 

determining if the date-time value is within the time period; 

determining if the one or more configuration directives have been previously 
received during the time period; and 

only when the date-time value is within the time period and the one or more
configuration directives have not been previously received during the time
period, attempting to verify the one or more digital signatures based on the
trust information and the signature group data, and applying the one or
more configuration directives to the host network element only when the
one or more digital signatures are verified successfully.

52. (Currently Amended) The computer-readable volatile or non-volatile
medium as recited in Claim 48, wherein the one or more sequences of
instructions further comprise instructions which, when executed by the one or
more processors, cause the one or more processors to perform the step of: 
verifying that the one or more digital signatures are valid and that one or more 
principals respectively associated with the one or more digital signatures 
have the collective authority to perform the one or more configuration 
directives on the host network element. 

55. (Currently Amended) The computer-readable volatile or non-volatile 
medium as recited in Claim 48, wherein the one or more digital signatures use 
public key cryptography, and wherein public keys for the one or more digital 
signatures are stored on the host network element. 

56. (Currently Amended) The computer-readable volatile or non-volatile 
medium as recited in Claim 48, wherein the one or more digital signatures use 
public key cryptography, wherein public keys for the one or more digital 
signatures are stored on a key server and retrieved from the key server as part of 
attempting to validate the one or more digital signatures. 

57. (Currently Amended) The computer-readable volatile or non-volatile 
medium as recited in Claim 48, wherein the one or more digital signatures use 
public key cryptography, and wherein public keys for the one or more digital 
signatures are received in a digital certificate and extracted from the digital 
certificate as part of attempting to validate the one or more digital signatures. 

58. (Currently Amended) The computer-readable volatile or non-volatile 
medium as recited in Claim 48, wherein the one or more digital signatures
comprise a first digital signature of the one or more configuration directives by
[[a]] the first user, and a second digital signature by [[a]] the second user, wherein 
the second digital signature is applied to a resultant of the first digital signature. 

59. (Currently Amended) The computer-readable volatile or non-volatile 
medium as recited in Claim 48, wherein the one or more digital signatures 
comprise a first digital signature of [[a]] the first portion of the one or more 
configuration directives by [[a]] the first user, a second digital signature of [[a]] the 
second portion of the one or more configuration directives by [[a]] the second 
user, and a third digital signature by a third user, wherein the third digital 
signature is applied to a resultant of the first digital signature and the second 
digital signature. 

60. (Currently Amended) A computer-readable volatile or non-volatile medium 
storing one or more sequences of instructions for verifying configuration changes 
for network devices using digital signatures, which instructions, when executed 
by one or more processors, cause the one or more processors to perform steps 
comprising: 

receiving a public key for a user of the network devices; 

receiving configuration control information that includes a time period during 
which a valid digital signature is required for applying one or more 
particular configuration directives to a specified network device; 

receiving configuration information comprising a hostname, one or more
configuration directives for the specified network device associated with
the hostname, one or more digital signatures of the hostname and the one
or more configuration directives, and a date-time value; 

receiving signature group data representing a collective authority and comprising 
a first identifier that identifies a first user responsible for a first portion of 
the one or more configuration directives and a second identifier that 
identifies a second user responsible for a second portion of the one or 
more configuration directives: 

wherein the configuration information specifies that the first portion and the 
second portion of the one or more configuration directives are to be 
applied to the specified network device at the same time: 

determining if the date-time value is within the time period; 

determining if the one or more configuration directives have been previously
received during the time period, by generating a secure hash of the one or
more configuration directives and determining if the secure hash is found 
in memory; and 

only when the date-time value is within the time period and the one or more
configuration directives have not been previously received during the time
period, performing the steps of: 

attempting to verify the one or more digital signatures based on using the 
signature group data and generating a secure hash of the one or 
more configuration directives using the public key and comparing 
the secure hash to the one or more digital signatures, and
applying the one or more configuration directives to the specified network
device only when the one or more digital signatures are verified 
successfully. 

61. (Currently Amended) The computer-readable volatile or non-volatile
medium as recited in Claim 60, wherein the one or more digital signatures 
comprise a first digital signature of the one or more configuration directives by 
[[a]] the first user, and a second digital signature by [[a]] the second user, wherein 
the second digital signature is applied to a resultant of the first digital signature. 

62. (Currently Amended) The computer-readable volatile or non-volatile 
medium as recited in Claim 60, wherein the one or more digital signatures 
comprise a first digital signature of [[a]] the first portion of the one or more 
configuration directives by [[a]] the first user, a second digital signature of [[a]] the 
second portion of the one or more configuration directives by [[a]] the second 
user, and a third digital signature by a third user, wherein the third digital 
signature is applied to a resultant of the first digital signature and the second 
digital signature. 
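
The admission checks that claims 1, 8 and 18 recite (time period, replay check by secure hash, required signatures by required principals, portions applied together), sketched in Python as an added example that is not part of the Office action or the application. HMAC-SHA256 with per-user keys stands in for the public-key digital signatures of the claims, and every name, key and directive below is a constructed assumption.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample data: all names, keys and directives are assumptions.
TRUSTED_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}  # trust information
WINDOW = (datetime(2010, 2, 1), datetime(2010, 3, 1))  # configuration control: time period
REQUIRED = {"count": 2, "principals": {"alice", "bob"}}  # security information
GROUP = {"alice": "routing", "bob": "acl"}  # signature group data: user -> portion


def sign(key, hostname, directives):
    """Stand-in for a digital signature over the hostname and one portion."""
    msg = "\n".join([hostname, *directives]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def directive_hash(hostname, portions):
    """Secure hash of the whole directive set, used as the replay key."""
    h = hashlib.sha256(hostname.encode())
    for name in sorted(portions):
        for item in (name, *portions[name]):
            h.update(b"\x00" + item.encode())
    return h.hexdigest()


def make_bundle(hostname, when, portions, signers):
    """Build configuration information signed by the given users (demo helper)."""
    sigs = {u: sign(TRUSTED_KEYS[u], hostname, portions[GROUP[u]]) for u in signers}
    return {"hostname": hostname, "date_time": when, "portions": portions, "signatures": sigs}


class Host:
    def __init__(self, hostname):
        self.hostname = hostname
        self.seen = set()   # hashes of directive sets already accepted in the window
        self.running = []   # directives applied so far

    def receive(self, bundle):
        if bundle["hostname"] != self.hostname:
            return "rejected: hostname"
        if not WINDOW[0] <= bundle["date_time"] <= WINDOW[1]:
            return "rejected: time period"
        digest = directive_hash(bundle["hostname"], bundle["portions"])
        if digest in self.seen:
            return "rejected: replay"
        valid = set()
        for user, sig in bundle["signatures"].items():
            key, portion = TRUSTED_KEYS.get(user), GROUP.get(user)
            if key is None or portion not in bundle["portions"]:
                continue  # untrusted signer, or signer with no portion in this bundle
            expected = sign(key, bundle["hostname"], bundle["portions"][portion])
            if hmac.compare_digest(expected, sig):
                valid.add(user)
        covered = {GROUP[u] for u in valid}
        if (len(valid) < REQUIRED["count"] or not REQUIRED["principals"] <= valid
                or covered != set(bundle["portions"])):
            return "rejected: signatures"
        # Record the hash only after verification, so a forged copy cannot
        # block the genuine bundle from being accepted later.
        self.seen.add(digest)
        for name in sorted(bundle["portions"]):  # all portions applied together
            self.running.extend(bundle["portions"][name])
        return "applied"


def demo():
    portions = {"routing": ["router ospf 1"], "acl": ["access-list 10 deny any"]}
    changed = {**portions, "acl": ["access-list 10 permit any"]}
    t = datetime(2010, 2, 11, 9, 0)
    host = Host("edge-1")
    good = make_bundle("edge-1", t, portions, ["alice", "bob"])
    one_sig = make_bundle("edge-1", t, changed, ["alice"])   # second principal missing
    tampered = make_bundle("edge-1", t, portions, ["alice", "bob"])
    tampered["portions"] = changed                            # altered after signing
    late = make_bundle("edge-1", datetime(2010, 4, 1), portions, ["alice", "bob"])
    return host, [host.receive(b) for b in (one_sig, tampered, late, good, good)]
```

Recording the hash only after successful verification is a design choice of this sketch; the claims say only that previously received directives are detected by a secure hash found in memory.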

Allowable Subject Matter 

The following is an examiner's statement of reasons for allowance. 
Claims 1, 8, 18, 21, 25, 29, 48, 60 are allowed based on the following:
The prior art of record, considered individually or in combination, fails to fairly
show or suggest: receiving signature group data representing a collective authority and 
comprising a first identifier that identifies the first user responsible for the first portion of 
the one or more configuration directives and a second identifier that identifies the 
second user responsible for the second portion of the one or more configuration 
directives; and wherein the configuration information specifies that the first portion and 
the second portion of the one or more configuration directives are to be applied to the 
host network element at the same time, in addition to the other limitations in a manner 
as recited in claims 1, 4 - 21, 23 - 25, 27 - 29, 31, 32, 34 - 37, 39 - 42, 44 - 62.

Claims 4 - 7 are allowed due to allowed base claim 1. 
Claims 9 - 17 are allowed due to allowed base claim 8. 
Claims 19, 20 are allowed due to allowed base claim 18. 
Claims 23, 24 are allowed due to allowed base claim 21.
Claims 27, 28, 39 - 42 are allowed due to allowed base claim 25.
Claims 31, 32, 34 - 37, 44 - 47 are allowed due to allowed base claim 29.
Claims 49 - 59 are allowed due to allowed base claim 48. 
Claims 61, 62 are allowed due to allowed base claim 60. 

So as indicated by the above statements, Applicant's arguments have been 
considered persuasive, in light of the set of claims with limitations as well as the 
enabling portions of the specification. The dependent claims further limit the 
independent claims and are considered allowable on the same basis as the
independent claims as well as for the further limitations set forth.

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Carlton V. Johnson whose telephone number is
571-270-1032. The examiner can normally be reached on Monday thru Friday, 8:00 -
5:00 PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Nasser Moazzami, can be reached on 571-272-4195. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Supervisory Patent Examiner, Art Unit 2436 Examiner